
can't stomp trojan.Tofger

So, there's a machine in the shop that was overrun with virii (350 instances of Bagle, stuff like that). The machine is running XP Home SP1 (not the latest updates, as you could guess). I have been able to kill 99% of all the problems... but there is constantly a problem with dltime.dll.

Here's what I've done so far:
Note: all scanners were up to date.
1. Turned off System Restore
2. Cleaned out temps/cookies/prefetch/etc.
3. Booted into WinPE and removed the final _restoreXXXXXXXX files
4. While in WinPE, ran McAfee's command line scanner
· Found dltime.dll, but it couldn't remove the file
5. In WinPE, attempted manual removal of dltime.dll, which sort of worked. But it returned on next boot
6. Removed the hard drive from the machine, ran a Norton scan. Found, but removal and quarantine failed
7. Played around with msconfig/regedit (HKLM and HKLU)/safe mode/HJT/services to no avail
8. Went online and found info from Norton and other places.
· Learned of the secondary file %windir%\svchost.dll
9. Followed Norton's manual removal guide, no dice
I've repeated the above multiple times while manually removing both svchost.dll (the one in C:\Windows) and dltime.dll. No matter what I do the files keep returning, keep executing, and look as though they are locked (all scans fail delete/quarantine). Is it possible for a virus to add itself to the WinXP protected file list, so that it would be restored every time I boot? There are no attributes on the files (not system or hidden) and this is just annoying me.

You must be missing something, possibly in the registry. In this situation I would be tempted to back up and then scratch the HDD and re-install... There does come a time when cleaning a system is more time consuming and difficult than it is worth.

Not only the time aspect, but as the box has been compromised with a keylogger, personally, I would not trust it again until it has been wiped. I appreciate that a fresh install is not always possible or warranted, but in this instance I think that it may be.

What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

Nihil: I will try Pest Patrol, thanks for recommending it. I have run AAW and SB:S&D (yep, updated and all that jazz) but there was no change (no ad/spyware on the machine, the user was good about using AAW).

Jinxy: Yeah, I'm the same way. The last time a machine of mine was compromised (3 years ago when I was using Kazaa) I formatted my machines, changed passwords, all that good stuff. I would like to just format, but that's not what he wants.

Go to the folder the virus was found in. Look for files with the same date. Check the properties of all the EXEs and DLLs in that folder to make sure they show version information. There are many ways to download that AVs won't detect: legit apps that are used to hide files and processes and start processes. Rename them just in case they are not malicious and necessary for something to run.

Use pslist.exe or any good process viewer to show processes. Check them on http://www.answersthatwork.com/Taskl...s/tasklist.htm and kill processes you don't know. Did this on a box last week. After killing a strange process and running pslist again, a few more processes were visible, including FireDaemon.

Run HijackThis to have a better look through the registry.

Run tasklist /svc to see what is being started using svchost.

Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
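The tasklist /svc step above is the one that separates the real service host from an impostor: a genuine svchost.exe instance hosts one or more services, so a process called svchost.exe that reports "N/A" in the Services column is worth a close look, and any image whose name matches the Tofger file list quoted later in the thread is an immediate flag. The script below is an added example (not code from this thread or from any of the tools named in it); it parses the CSV that `tasklist /svc /fo csv` prints and applies those two checks. The sample output, PIDs and service names are constructed for the example, and the known-bad name set is the one from the Symantec write-up quoted later on (svchost.exe itself is deliberately not in it, since the real one is a core system binary).

```python
"""Flag svchost.exe processes that host no service, and images with Tofger names.

Added example for the thread, not code from the thread or its tools.
Input is the text that `tasklist /svc /fo csv` prints on Windows; the
SAMPLE_TASKLIST below is a constructed stand-in so the script runs offline.
"""
import csv
import io
from typing import List, Tuple

# Image names from the Symantec list quoted in the thread ([File1]/[File2]/[File3]).
# svchost.exe is intentionally absent: the real one lives in System32 and is legit.
KNOWN_BAD_IMAGES = {
    "sachost.exe", "slhost.exe", "suhost.exe", "sxhost.exe", "winupd.exe",
    "svchostc.exe", "sachostc.exe", "winu.exe", "stropen.exe",
    "svchosts.exe", "sachosts.exe",
}

# Constructed sample of `tasklist /svc /fo csv` output (not a real capture).
# A service-hosting svchost lists its services comma-separated inside one quoted field.
SAMPLE_TASKLIST = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"services.exe","672","Eventlog,PlugPlay"
"svchost.exe","892","RpcSs"
"svchost.exe","1020","AudioSrv,CryptSvc,Dhcp,ERSvc,lanmanserver,wuauserv"
"explorer.exe","1580","N/A"
"svchost.exe","2044","N/A"
"sachost.exe","2100","N/A"
'''

Row = Tuple[str, int, List[str]]


def parse_tasklist_svc(text: str) -> List[Row]:
    """Return (image name, pid, [services]) per row; "N/A" becomes an empty list."""
    rows: List[Row] = []
    for rec in csv.DictReader(io.StringIO(text)):
        svc_field = rec["Services"]
        services = [] if svc_field == "N/A" else svc_field.split(",")
        rows.append((rec["Image Name"], int(rec["PID"]), services))
    return rows


def suspicious_hosts(rows: List[Row]) -> List[Tuple[int, str, str]]:
    """Return (pid, image, reason) for rows that fail either check."""
    findings = []
    for image, pid, services in rows:
        name = image.lower()
        if name == "svchost.exe" and not services:
            # The real service host always carries services; an empty one is an impostor candidate.
            findings.append((pid, image, "svchost.exe hosting no service"))
        elif name in KNOWN_BAD_IMAGES:
            findings.append((pid, image, "image name from the Tofger write-up"))
    return findings


if __name__ == "__main__":
    for pid, image, reason in suspicious_hosts(parse_tasklist_svc(SAMPLE_TASKLIST)):
        print(f"PID {pid:>5}  {image:<14} {reason}")
```

On a live box, pipe the real output in (`tasklist /svc /fo csv > procs.csv`) and feed the file contents to `parse_tasklist_svc`; the PID of a flagged entry is what you then hand to Process Explorer or pslist to see who its parent is.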

tedob:
I started Process Explorer via HKLM\S\M\W\CV\Run and saw the process tree which was starting all the problems. Strangely, there was a windowsupdateXXXXXXX.exe (or something like that) being started from the Start Menu's Startup folder (which I cleared out before; it must've been replaced during a reboot). This program created a file in temporary files which started the false svchost. If you sit and watch it, the program runs some cmd windows in the background which makes svchost a stand-alone process (removes it from the other process tree). Finally, the false windowsupdate program exits, leaving svchost.

So anyway, I killed the processes, deleted the files, and now it's all good. Thanks.

Nihil: Pest patrol did find the false svchost, but it couldn't do anything other than delete it, at which point the file would come back. Good idea, but it didn't help in this application.

annihilator_god, just a quick question. Do you have Spybot's TeaTimer on? If I remember correctly, someone mentioned that TeaTimer can inadvertently protect malicious registry entries by denying changes to the registry. Also, in addition to what Tedob said, maybe you could post your results from a HiJackThis scan.
Anyways, I checked around and compiled a list of registry entries that I could find in relation to Tofger:

From Symantec:

%Windir%\MSTO32.DLL
%Windir%\[File1]
%Windir%\SYSINI.INI
%System%\[File2]
%System%\[File3]
%Windir%\msrt32.dll
%Windir%\msin32.dll
%Windir%\dorta32.dll
%Windir%\durta32.dll
%Windir%\sufer32.dll
%Windir%\byrta32.dll
%Windir%\dltime.dll
[File1] can be one of SVCHOST.EXE, SACHOST.EXE, SLHOST.EXE, SUHOST.EXE, SXHOST.EXE, SYSTEM.EXE, or WINUPD.EXE.
[File2] can be one of SVCHOSTC.EXE, SACHOSTC.EXE, WINU.EXE, or STROPEN.EXE.
[File3] can be either of SVCHOSTS.EXE or SACHOSTS.EXE.

When run, the Trojan creates the files svchost.exe and dltime.dll in the %Windows% directory.
The Trojan creates the following registry keys:
HKLM\SOFTWARE\Microsoft\DownloadManager\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Setup experation = "C:\\WINDOWS\\svchost.exe"

Maybe these can better help isolate all the entries. I know you mentioned going to some sites and following the removal instructions but maybe we can help you double check your registry and compare it to the lists from Sophos and Symantec. With the HiJackThis log (if you can post it), I'm sure we can figure this one out.

**I see you have resolved the problem above. It took me too damn long to reply. Good job.

The object of war is not to die for your country but to make the other bastard die for his - George Patton
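The two persistence points this thread ended up on, the Run value `Setup experation = "C:\\WINDOWS\\svchost.exe"` from the Symantec write-up and the windowsupdate*.exe tedob found in the Startup folder, share one tell: a system-sounding name launched from the wrong place. A real svchost.exe is only ever started from %System% (C:\WINDOWS\system32 on XP), and Windows Update runs as the wuauserv service, not from anyone's Startup folder. The script below is an added example (not code from the thread or from Symantec/Sophos); it audits a list of Run-key values and Startup-folder paths with those checks plus the file-name list quoted above. The registry values and paths in it are constructed, except the `Setup experation` entry, which is the one from the write-up; %Windir%/%System% are expanded to the XP defaults as an assumption.

```python
"""Audit autostart entries for system-named binaries in the wrong directory
and for the Tofger file names quoted in the thread.

Added example, not code from the thread. Works on any OS because it only
inspects the strings you give it; gather the real Run values with regedit or
a HiJackThis log and the Startup-folder listing with dir.
"""
import ntpath
import re
from typing import List, Tuple

SYSTEM_ROOT = "C:\\WINDOWS"          # assumed XP default for %Windir%/%SystemRoot%
SYSTEM_DIR = SYSTEM_ROOT + "\\system32"  # assumed expansion of %System%

# Core system processes that live only in System32 on a clean install.
SYSTEM32_ONLY = {"svchost.exe", "services.exe", "lsass.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}

# File names from the Symantec list quoted in the thread.
# svchost.exe is left out because the name is also the legitimate service host.
TOFGER_NAMES = {
    "msto32.dll", "sysini.ini", "msrt32.dll", "msin32.dll", "dorta32.dll",
    "durta32.dll", "sufer32.dll", "byrta32.dll", "dltime.dll",
    "sachost.exe", "slhost.exe", "suhost.exe", "sxhost.exe", "winupd.exe",
    "svchostc.exe", "sachostc.exe", "winu.exe", "stropen.exe",
    "svchosts.exe", "sachosts.exe",
}

# Constructed sample Run values (name, command). Only "Setup experation" is from the write-up.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("Setup experation", "C:\\WINDOWS\\svchost.exe"),
    ("ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe"),
    ("SunJavaUpdateSched", '"C:\\Program Files\\Java\\jre\\bin\\jusched.exe" -x'),
    ("loader", "%Windir%\\winupd.exe"),
]

# Constructed sample Startup-folder listing; the .exe name follows tedob's description.
SAMPLE_STARTUP_FOLDER = [
    "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\desktop.ini",
    "C:\\Documents and Settings\\user\\Start Menu\\Programs\\Startup\\windowsupdate5172.exe",
]


def expand(path: str) -> str:
    """Expand %Windir%/%SystemRoot%/%System% case-insensitively (lambda avoids re escapes)."""
    path = re.sub(r"%system%", lambda m: SYSTEM_DIR, path, flags=re.I)
    return re.sub(r"%(windir|systemroot)%", lambda m: SYSTEM_ROOT, path, flags=re.I)


def executable_of(command: str) -> str:
    """Pull the program path out of a Run value: quoted path, or the first token."""
    cmd = expand(command.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def audit_run_value(name: str, command: str) -> List[str]:
    """Return findings for one Run value (empty list means nothing flagged)."""
    findings = []
    exe = executable_of(command)
    base = ntpath.basename(exe).lower()
    parent = ntpath.dirname(exe)
    if base in SYSTEM32_ONLY and ntpath.basename(parent).lower() != "system32":
        findings.append(f"{name}: {base} started from {parent or '(no path)'}, not System32")
    lowered = expand(command).lower()
    for known in sorted(n for n in TOFGER_NAMES if n in lowered):
        findings.append(f"{name}: command references {known}, a name from the Tofger write-up")
    return findings


def audit_startup_folder(paths: List[str]) -> List[str]:
    """Flag Startup-folder files that pose as Windows Update or carry a Tofger name."""
    findings = []
    for p in paths:
        base = ntpath.basename(p).lower()
        if base.startswith("windowsupdate") and base.endswith(".exe"):
            findings.append(f"startup folder: {base} (Windows Update runs as a service, not from here)")
        elif base in TOFGER_NAMES:
            findings.append(f"startup folder: {base}, a name from the Tofger write-up")
    return findings


if __name__ == "__main__":
    for value_name, command in SAMPLE_RUN_VALUES:
        for line in audit_run_value(value_name, command):
            print(line)
    for line in audit_startup_folder(SAMPLE_STARTUP_FOLDER):
        print(line)
```

The directory check is deliberately on the parent folder's name rather than on the value name: the Run value can be called anything ("Setup experation" here), so the string that cannot be disguised is where the binary actually sits.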

Why are those still even on the list? I mean, here it is, looks like some pretty random file names, and not to mention they are in the System32 and Windows directories... that's probably the first thing I'd screw around with.